Scores of faculty, staff and administration have been unknowingly giving their Allegheny credentials over to an internet phishing scam received through an email claiming to share a Dropbox.

The scam began spreading when a student received an email from a non-Allegheny account early in February. When the student clicked on the Dropbox link and entered their requested Allegheny credentials, the student gave over their username and password to a phishing attack that took control of their account and sent a similar email to everyone in their contacts.

Information Technology Services was notified of the spreading scam by Google, which has a feature that monitors email accounts for unusual behavior like emailing multiple mass messages. Once suspicious behavior is detected, Google shuts down the account and notifies the site administrators.

Drew McMillin, the help desk manager and user support specialist at ITS, said ITS must reactivate the account once it has been shut down.

“If you left your account open long enough, there could have been a phase two to the attack,” McMillin said.

He said this could include collecting bank account information, but James Fadden, the director of ITS, said that he does not have reason to believe this could happen at Allegheny.

“As far as we know, this has just caused a lot of chaos,” Fadden said. “My concern is…at some point it’s not going to just be that.”

He emphasized the importance of exercising caution and keeping an eye out for suspicious activity, because the phishing attack could still develop.

Dan Cheung, ’17, was one of the students to receive the email and accidentally surrendered his account information to the attack. The first time he got it, he knew the sender, and so he had no suspicions.

“[My friend and I] were discussing housing at some point, so I thought he sent me a Google doc,” Cheung said.

He entered his information, but Google did not detect suspicious activity, even after an email was sent from his account. As a result, his account was never shut down.

“I actually never did anything about it,” Cheung said.

Despite the number of people who have received the email, Cheung said he believes at this point people are aware of the threat the Dropbox email poses.

“I think people were aware of it, so they knew not to click on it,” Cheung said.

According to Fadden, this phishing scam has been traced back as far as England, to a person who has no direct affiliation to the college. He said the scam could be new, but it could also be years old.

“It could keep coming back if people keep giving credentials,” Fadden said. “With how much we all use technology in different ways, we are the greatest threat to security, because we’re human, and we make mistakes,”

According to Fadden, phishing scams have steadily become more convincing.

“Two or three years ago, if you found bad grammar in [the email], you knew they were fake,” he said.

Fadden said this is the largest phishing attack the college has seen in several years. Because the emails have become so realistic, Fadden recommends users hover over suspicious links before clicking on them and checking the URL that appears in the lower lefthand corner of the screen. If the link claims to be going to one place, but actually links to another, Fadden said the user should not open it.

“The best thing you could do is say, ‘this seems fishy,’” Fadden said.

If a user has already clicked on the link, Fadden encourages them to immediately change their passwords.

Although Fadden believes that using caution and knowing safe practices is important, he said that it still may not be enough.

“Even doing all the right things, bad things still happen,” he said.

Two other phishing scams have been caught before spreading as well, one of which Fadden said was an almost exact replica of real bank emails he has seen before.

“It’s just another example of how pervasive technology is and how important it is for people to be aware of what they’re doing,” Fadden said.